making form input secure


JeremyH
03-27-2006, 11:46 PM
Hello, I'm learning Perl and wanted to know what precautions I should take for a guestbook-like addition to my webpage.

I want to use a form with a name field and a textarea for user comments. Using a Perl script I wrote, that information will go into a different html file. From there I will use a SSI on my homepage to put the form content, converted into html, into its own column.

In reading up on this, I found out that the form can be tricked into running malicious programs on my server unless I take some precautions. O'Reilly's "CGI Programming" says I need to write some code to strip out some characters from the user input (; <>&*`|) to make it safe.

I can do that, but I want to know if there is anything else I should consider before trying this? Or is this not as dangerous as the book implies?

KevinADC
03-28-2006, 12:49 AM
If you use CGI.pm (and you really should) to parse the form data, you can use the escapeHTML() function to escape the <>&" characters. If you use the form-generating capabilities of CGI.pm, then the escaping is done automatically. If you are using a "home-made" form parsing routine, then just escape those characters using a subroutine.

$comments = strip_html($comments);   # keep the escaped result, not just the call

# Escape the four characters that matter in HTML text and attribute values.
# & is handled first so the entities added by the later substitutions are
# not themselves re-escaped.
sub strip_html {
    my $line = shift;
    $line =~ s/&/&amp;/g;
    $line =~ s/"/&quot;/g;
    $line =~ s/</&lt;/g;
    $line =~ s/>/&gt;/g;
    return $line;
}

There is a good (and safe) free guestbook script here:

http://nms-cgi.sourceforge.net/scripts.shtml
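The handler below is an added example written for this thread, not code from the original poster or from the nms-cgi project. It ties the advice above together: the form is parsed with CGI.pm, both fields are run through escapeHTML() before they are written to the file that the SSI pulls in, the file is opened with the three-argument form of open so no shell is ever involved (which is the real answer to the question about ; <>&*`| characters: they are only dangerous if the input reaches a shell), and the script runs under taint mode (-T) so Perl itself refuses to let unchecked input into a system call. The field names "name" and "comment", the output file comments.html, the 40-character name limit and the 2000-character comment limit are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
# Added example for this thread (not the original poster's script).
# Assumed form fields: "name" and "comment". Assumed output file: comments.html.
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock SEEK_END);

my $q = CGI->new;

my $name    = $q->param('name');
my $comment = $q->param('comment');
$name    = '' unless defined $name;
$comment = '' unless defined $comment;

# Under -T every form value is tainted. The only way to untaint is a regex
# capture, so restrict the name to a conservative character set and length
# (assumed limit: 40 characters) and reject anything else outright.
if ($name =~ /\A([\w .'-]{1,40})\z/) {
    $name = $1;
} else {
    print $q->header('text/plain'), "Name may contain only letters, digits, spaces, . ' -\n";
    exit;
}

# The comment is displayed, never executed, so it only needs a size cap
# (assumed limit: 2000 characters) and escaping on output.
if (length($comment) > 2000) {
    print $q->header('text/plain'), "Comment too long\n";
    exit;
}
$comment =~ s/\r\n?/\n/g;   # normalise CRLF / CR line endings to LF

# escapeHTML turns < > & " into entities, so a comment such as
# <script>alert(1)</script> shows up as text in the guestbook column
# instead of running in every visitor's browser.
my $entry = sprintf "<p><b>%s</b> wrote:</p>\n<pre>%s</pre>\n",
    $q->escapeHTML($name), $q->escapeHTML($comment);

# Three-argument open with a fixed file name: no shell, no chance of the
# user's data being interpreted as a file name or a pipe. flock keeps two
# simultaneous posts from interleaving; seek to the end after the lock.
my $file = 'comments.html';   # assumed path, relative to the CGI directory
open my $fh, '>>', $file or die "cannot open $file: $!";
flock $fh, LOCK_EX          or die "cannot lock $file: $!";
seek $fh, 0, SEEK_END;
print {$fh} $entry;
close $fh                   or die "cannot close $file: $!";

# Echo the name back only in escaped form, same rule as for the file.
print $q->header('text/html; charset=UTF-8'),
      "<p>Thanks, ", $q->escapeHTML($name), ", your comment has been added.</p>\n";
```

The homepage then pulls the file in with an SSI directive such as <!--#include virtual="comments.html" -->. Because every byte that lands in comments.html has gone through escapeHTML(), the included fragment can only add text and the fixed tags the script itself emits. Note that the character-stripping advice from the book addresses a different problem: it matters only when input is handed to a shell via system(), backticks, or a two-argument open with a pipe, and the simplest defence there is to never do that at all, which this script does not.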

JeremyH
03-28-2006, 04:49 PM
Thanks for the script and the link. I'm still putting my version of this together so maybe I'll have a follow-up question in a day or so.